WHOIS Energy

13.09.24 02:08 AM - Comment(s) - By Benjamin Langrill

A great read even with the misleading headline...

https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/

 

Two security researchers from watchTowr Labs had a fun night in Vegas (no, not that kind) and managed to find some fundamental flaws in the way the WHOIS infrastructure for a top-level domain (TLD) is operated. The entire story is full of "well, this wouldn't be a problem, except…" moments. Fortunately they are the "good guys" and did not actually carry out any of the threat-actor actions they could have.

 

Several times in the report they mention that "if we can do it, anyone can do it." This raises the question: does this weakness exist for other TLDs, and if so, has it already been exploited?

 

This is exactly the purpose of Influence Energy: to break down a threat vector, determine which components it uses, and give a Fermi estimate of the resources involved in executing it.

 

Spoiler alert: it would take a bit more than the $20 referenced in their headline!

 

---

 

The authors began with a hypothesis about the possibility of novel exploits in WHOIS clients (IE4). WHOIS is a simple text protocol: a client opens a TCP connection (port 43) to a registry's server, sends a domain name, and gets back a free-form record listing the registrant's contact details, such as email addresses, along with nameservers and other registration data. They were able to find a theoretical entry point in the client-side parsing of that record, but needed a way to get attacker-controlled data into a client, and that data nominally only arrives from a WHOIS server.

 

To actually pull off this attack, an attacker must control the WHOIS server that clients consult for a top-level domain. The rest of the analysis is predicated on having control of such a server.

 

In their case, the domain hosting the WHOIS server for the .mobi TLD had recently moved, and the original domain had lapsed and was available for registration. Fortuitously, it cost only $20 to purchase (IE0). Before you get too worried, know that the IE required jumps dramatically after this.

 

Another option is to exploit or otherwise compromise the WHOIS server, but this would require a zero-day exploit or comparable bespoke effort against the operator. Either way, this would be an IE4+ operation because it relies on exploit-development skills and advanced intelligence gathering.

 

With the WHOIS domain under their control, they next deployed an actual WHOIS server to log incoming queries. This is IE2, relying only on system and application administration along with knowledge of the protocol.

 

The authors determined through analysis of the WHOIS server logs that several Certificate Authorities were still querying it for domain validation (remember, this is an old domain that not every client and CA had stopped using). By altering the WHOIS responses (IE3) to return a registrant email address they controlled, they were able to falsify records and show that a CA relying on WHOIS contact data would treat their address as authorized to validate arbitrary .mobi domains.
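As an added example (not code from the original post or from watchTowr), here is a minimal WHOIS responder in Python that does both of the things described above: it logs every query it receives, and it answers from a template whose registrant email is whatever the operator chooses, which is the field a CA's WHOIS-based domain validation would read. It listens on a loopback port chosen by the OS; the domain `example.mobi`, the registrant record, and the address `attacker@example.invalid` are constructed for illustration.

```python
"""Minimal RFC 3912 WHOIS responder that logs every query and answers from a template.

Added example, not watchTowr's code. The registrant record, domain names and
email address below are constructed for illustration.
"""
import socket
import threading

# Constructed response template. A real registry returns many more fields; the
# point is that the registrant contact lines are entirely server-controlled.
RESPONSE_TEMPLATE = (
    "Domain Name: {domain}\r\n"
    "Registrar: Example Registrar (constructed)\r\n"
    "Registrant Name: Example Registrant\r\n"
    "Registrant Email: {email}\r\n"
    "Name Server: NS1.EXAMPLE.NET\r\n"
    ">>> Last update of WHOIS database: 2024-09-13T00:00:00Z <<<\r\n"
)


class WhoisLoggingServer:
    """Accepts WHOIS queries (TCP, one CRLF-terminated query per connection),
    records who asked for what, and replies with an operator-chosen registrant email."""

    def __init__(self, host="127.0.0.1", port=0, email="attacker@example.invalid"):
        self.email = email
        self.queries = []                      # (client IP, queried domain), the "log"
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))          # port 0: let the OS pick a free port
        self._sock.listen(8)
        self._sock.settimeout(0.2)             # lets the accept loop notice stop()
        self.host, self.port = self._sock.getsockname()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    self._handle(conn, addr)
                except OSError:
                    pass                       # a misbehaving client must not kill the server

    def _handle(self, conn, addr):
        conn.settimeout(5)
        buf = b""
        # RFC 3912: the query is a single line terminated by CRLF.
        while b"\n" not in buf and len(buf) < 1024:
            chunk = conn.recv(256)
            if not chunk:
                break
            buf += chunk
        domain = buf.split(b"\n", 1)[0].strip().decode("ascii", "replace")
        self.queries.append((addr[0], domain))
        # The reply is free-form text; the server then closes the connection.
        reply = RESPONSE_TEMPLATE.format(domain=domain.upper(), email=self.email)
        conn.sendall(reply.encode())


def whois_query(host, port, domain, timeout=5):
    """Plain WHOIS client: send the query plus CRLF, read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def registrant_email(response):
    """What a CA's WHOIS-based domain-validation code would pull out of the reply."""
    for line in response.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "registrant email":
            return value.strip()
    return None


if __name__ == "__main__":
    server = WhoisLoggingServer().start()
    reply = whois_query(server.host, server.port, "example.mobi")
    print(reply)
    print("logged queries:", server.queries)
    print("validation contact a CA would see:", registrant_email(reply))
    server.stop()
```

Running the block queries the server once and prints the reply, the logged query, and the email a validating CA would extract. Two protocol details matter for the log-analysis step: WHOIS has no authentication and no transport encryption, so the server learns the querying client's IP address and nothing more, and the reply is free-form text that the client (or CA) has to parse by field name, which is what makes the response both the lever for falsifying registrant data and the attack surface for the client-side bugs the researchers hypothesized.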

 

If you wanted to use this capability (a fraudulently validated TLS certificate) to actually take over something, you would additionally need one of:

  • Bespoke man-in-the-middle content injection (IE5)
  • Bespoke man-in-the-middle content collection (IE4), looking for sensitive content or credentials
  • A rogue server, with a valid TLS certificate, for bespoke phishing (IE3)

 

Finally, they looked for ways to attack the WHOIS clients querying their server, starting with public CVEs (IE2). Adapting one of these would be IE3; going all the way to a bespoke exploit would be IE4.

 

It's also worth noting that the authors of the research are themselves experienced security professionals with an estimated Influence Energy of 4 (10,000 hours), making anything they deem "easy" still out of reach for lower-level threat actors.

 

To their credit, the authors do address the difficulty required of the attack:

 

"The reality was that in order for an attacker to carry out an attack against a WHOIS client, they’d need one of the following:

 

  • A Man-In-The-Middle (MiTM) attack, which requires the ability to hijack WHOIS traffic at the network layer - out of reach for all but the most advanced of APTs, [IE5]
  • Access to the WHOIS servers themselves, which is plausible but unlikely, or [IE4]
  • A WHOIS referral to a server they control."

 

I appreciate the work they and others like them do to draw attention to whether theoretical attacks can actually be carried out. That is the focus of security energy: everything is possible, but at what cost?

 

Stay tuned for more updates and my GitHub-published analysis of every MITRE ATT&CK technique!

Benjamin Langrill